
Chapter 25. Enhancing security with the kernel integrity subsystem


Use components of the kernel integrity subsystem to improve system security. Configure relevant components such as IMA signature-based appraisal and remote attestation.

25.1. The kernel integrity subsystem

The kernel integrity subsystem protects system integrity by detecting file tampering and enabling remote attestation. It includes the Integrity Measurement Architecture (IMA) and the Extended Verification Module (EVM).

Integrity Measurement Architecture (IMA)

IMA protects the integrity of file content. It provides three functions, each of which you enable through rules in an IMA policy:

  • IMA-Measurement: Collect the hash of the file content (or its signature) and record the measurement in a kernel-held log. If a TPM is available, each measurement also extends a TPM PCR (PCR 10 by default), so a remote verifier can check the measurement log against a signed TPM quote.
  • IMA-Appraisal: Verify file integrity before use, either by comparing the calculated file hash with a known good reference value or by verifying a signature stored in the security.ima extended attribute. If verification fails, the kernel denies access to the file.
  • IMA-Audit: Record the calculated file content hash or signature in the system audit log.

Extended Verification Module (EVM)

EVM protects file metadata, including the security-related extended attributes such as security.ima and security.selinux. EVM stores a reference hash or HMAC over these attributes in security.evm and uses it to detect whether the file metadata has been changed offline or by an attacker.
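What a remote verifier does with IMA-Measurement is easier to see in code than in prose. The following Python script is an added example for this section; it is not part of the Red Hat documentation, of the kernel, or of Keylime. It builds ima-ng log entries from constructed file contents, checks that each entry's template hash binds its digest and path, and replays the template hashes into a simulated PCR 10. It assumes the ima-ng template with sha256 for both the file digest and the template hash (the sha256 PCR bank); the file contents and the boot_aggregate digest are constructed, not taken from a real system.

```python
"""Replay an IMA measurement log (ima-ng template) and recompute PCR 10.

Added example, not Red Hat's, the kernel's, or Keylime's code. Assumes the
ascii log layout "<pcr> <template-hash> ima-ng sha256:<file-hash> <path>"
with sha256 used for both hashes.
"""
import hashlib
import struct

SHA256_LEN = 32
ZERO = bytes(SHA256_LEN)
FF = b"\xff" * SHA256_LEN


def ima_ng_template_hash(file_digest: bytes, path: str) -> bytes:
    """Hash the ima-ng template data the way the kernel does.

    Every field is prefixed with its little-endian u32 length:
      d-ng: "sha256:" + NUL + raw digest
      n-ng: path + NUL
    """
    d_ng = b"sha256:\x00" + file_digest
    n_ng = path.encode() + b"\x00"
    h = hashlib.sha256()
    for field in (d_ng, n_ng):
        h.update(struct.pack("<I", len(field)))
        h.update(field)
    return h.digest()


def render_entry(file_digest: bytes, path: str) -> str:
    """Produce one ascii_runtime_measurements line for PCR 10."""
    tmpl = ima_ng_template_hash(file_digest, path)
    return f"10 {tmpl.hex()} ima-ng sha256:{file_digest.hex()} {path}"


def violation_entry(path: str) -> str:
    """A ToMToU/open-writers violation: the log shows an all-zero template hash."""
    return f"10 {ZERO.hex()} ima-ng sha256:{ZERO.hex()} {path}"


def parse_entry(line: str):
    """Split a log line into (pcr, template_hash, file_digest, path)."""
    pcr, tmpl_hex, template, digest_field, path = line.split(" ", 4)
    algo, _, digest_hex = digest_field.partition(":")
    if template != "ima-ng" or algo != "sha256":
        raise ValueError(f"unsupported entry: {line!r}")
    return int(pcr), bytes.fromhex(tmpl_hex), bytes.fromhex(digest_hex), path


def verify_entry(line: str) -> bool:
    """An entry is consistent if its template hash matches its own fields."""
    _, tmpl, digest, path = parse_entry(line)
    return tmpl == ima_ng_template_hash(digest, path)


def replay_pcr(lines) -> bytes:
    """Extend a zeroed PCR with each template hash, in log order.

    For violation entries the kernel extends the PCR with 0xff bytes while
    the log records zeros; a verifier must replay the 0xff value.
    """
    pcr = ZERO
    for line in lines:
        _, tmpl, _, _ = parse_entry(line)
        if tmpl == ZERO:
            tmpl = FF
        pcr = hashlib.sha256(pcr + tmpl).digest()
    return pcr


def build_sample_log():
    """Constructed sample: a boot_aggregate entry and two executables."""
    files = [
        ("boot_aggregate", hashlib.sha256(b"constructed PCR0-7 aggregate").digest()),
        ("/usr/sbin/ip", hashlib.sha256(b"constructed contents of ip").digest()),
        ("/usr/bin/bash", hashlib.sha256(b"constructed contents of bash").digest()),
    ]
    return [render_entry(d, p) for p, d in files]


def tamper(lines, index, old, new):
    """Return a copy of the log with one substring edited in one entry."""
    out = list(lines)
    out[index] = out[index].replace(old, new)
    return out


def check_log(lines):
    """Return (all_entries_consistent, replayed_pcr10_hex)."""
    return all(verify_entry(line) for line in lines), replay_pcr(lines).hex()


if __name__ == "__main__":
    log = build_sample_log()
    print("\n".join(log))
    print("consistent, PCR10:", check_log(log))
    # Rewriting a path in transit keeps the PCR but breaks the entry check.
    print("tampered:", check_log(tamper(log, 1, "/usr/sbin/ip", "/tmp/ip")))
```

Changing the path of an entry after the fact leaves the replayed PCR unchanged, because only the template hash is extended; it is the per-entry check that catches the edit. A verifier therefore has to do both: replay the log and compare the result with the quoted PCR, and re-hash every entry against its own template hash.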

25.2. Enabling signature-based IMA appraisal

To ensure that only authorized package files are executed, enable signature-based IMA appraisal by running the ima-setup command with the sample policy. From RHEL 9 onwards, every file in a package is signed individually and the signature ships in the RPM header.

Procedure

  1. Run ima-setup to enable signature-based IMA appraisal:

    # ima-setup --policy=/usr/share/ima/policies/01-appraise-executable-and-lib-signatures

    This command:

    • Stores the per-file package signature in the security.ima extended attribute of every file of every installed package.
    • Includes the dracut integrity module so that the initramfs loads the IMA code-signing key into the kernel.
    • Copies the policy to /etc/ima/ima-policy so that systemd loads it at boot time.

Verification

  • The ip command in /usr/sbin runs as before, because its security.ima signature verifies against the Red Hat IMA key.
  • If ip is copied to /tmp with a plain cp, the copy does not receive the security.ima attribute (cp copies extended attributes only with --preserve=xattr). Appraisal finds no signature on the copy and the kernel refuses to execute it:

    # cp /usr/sbin/ip /tmp
    # /tmp/ip
    bash: /tmp/ip: Permission denied

    The copy has no security.ima attribute, so getfattr prints nothing:

    # getfattr -m security.ima -d /tmp/ip

    whereas the original has one:

    # getfattr -m security.ima -d /usr/sbin/ip
    # file: usr/sbin/ip
    security.ima=0sAwIE0zIESQBnMGUCMQCLXZ7ukyDcguLgPYwzXU16dcVrmlHxOta7vm7EUfX07Nf0xnP1MyE//AZaqeNIKBoCMFHNDOuA4uNvS+8OOAy7YEn8oathfsF2wsDSZi+NAoumC6RFqIB912zkRKxraSX8sA==

    Note that the signature covers the file content, not its location: a copy made with cp --preserve=xattr keeps a valid security.ima.
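The value that getfattr prints is the signature itself, base64-encoded (the 0s prefix is getfattr's marker for base64 output). Decoding it shows exactly what the kernel checks during appraisal. The following Python script is an added example, not part of ima-evm-utils, ima-setup or the kernel: it takes the security.ima value shown above for /usr/sbin/ip and splits it into the signature header (type, version, hash algorithm, key id, signature length) and the DER-encoded ECDSA signature. The header layout and the hash-algorithm numbering are the kernel's (struct signature_v2_hdr and enum hash_algo); the DER walker handles only short-form lengths, which is an assumption of this example that holds for P-256 and P-384 signatures.

```python
"""Decode the security.ima attribute that ima-setup stores on package files.

Added example, not code from ima-evm-utils or ima-setup. The decoded bytes
are the kernel's signature_v2_hdr: type (u8), version (u8), hash_algo (u8),
keyid (big-endian u32), sig_size (big-endian u16), then the signature.
"""
import base64
import struct

EVM_IMA_XATTR_DIGSIG = 0x03   # attribute holds a signature
IMA_XATTR_DIGEST_NG = 0x04    # attribute holds only a hash (ima "fix" mode)
# Numbering from the kernel's enum hash_algo (include/uapi/linux/hash_info.h).
HASH_ALGO = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}

# The security.ima value printed for /usr/sbin/ip in the verification above.
IP_SECURITY_IMA = "0sAwIE0zIESQBnMGUCMQCLXZ7ukyDcguLgPYwzXU16dcVrmlHxOta7vm7EUfX07Nf0xnP1MyE//AZaqeNIKBoCMFHNDOuA4uNvS+8OOAy7YEn8oathfsF2wsDSZi+NAoumC6RFqIB912zkRKxraSX8sA=="


def parse_security_ima(value: str) -> dict:
    """Return header fields and the raw signature of a signed security.ima."""
    if not value.startswith("0s"):
        raise ValueError("expected getfattr's base64 form, which starts with 0s")
    raw = base64.b64decode(value[2:])
    if raw[0] == IMA_XATTR_DIGEST_NG:
        raise ValueError("hash-only attribute, not a signature")
    if raw[0] != EVM_IMA_XATTR_DIGSIG:
        raise ValueError(f"unexpected xattr type byte {raw[0]:#x}")
    version, hash_algo, keyid, sig_size = struct.unpack(">BBIH", raw[1:9])
    sig = raw[9:]
    if len(sig) != sig_size:
        raise ValueError(f"signature is {len(sig)} bytes, header says {sig_size}")
    return {
        "version": version,
        "hash_algo": HASH_ALGO.get(hash_algo, f"unknown({hash_algo})"),
        "keyid": f"{keyid:08x}",   # the id the kernel looks up on the .ima keyring
        "sig_size": sig_size,
        "sig": sig,
    }


def ecdsa_der_lengths(sig: bytes):
    """Return (r_len, s_len) of a DER ECDSA signature SEQUENCE { INTEGER r, INTEGER s }.

    Short-form DER lengths only (assumption of this example; fine for P-384).
    """
    if sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a single short-form DER SEQUENCE")
    if sig[2] != 0x02:
        raise ValueError("expected INTEGER r")
    r_len = sig[3]
    s_off = 4 + r_len
    if sig[s_off] != 0x02:
        raise ValueError("expected INTEGER s")
    s_len = sig[s_off + 1]
    if s_off + 2 + s_len != len(sig):
        raise ValueError("trailing bytes after s")
    return r_len, s_len


if __name__ == "__main__":
    info = parse_security_ima(IP_SECURITY_IMA)
    r_len, s_len = ecdsa_der_lengths(info["sig"])
    print(f"version={info['version']} hash={info['hash_algo']} "
          f"keyid={info['keyid']} sig_size={info['sig_size']} "
          f"r_len={r_len} s_len={s_len}")
```

The decoded key id, d3320449, is the same id that evmctl prints for /etc/keys/ima/redhatimarelease-10.der in the remote attestation procedure below; the kernel uses it to pick the matching key from the .ima keyring before verifying the signature over the file's sha256 hash. The integer r occupies 49 bytes (a leading zero byte plus 48) and s occupies 48, the coordinate size of P-384.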

If the sample policy 01-appraise-executable-and-lib-signatures does not meet your requirements, you can create and use a custom policy.

25.3. Enabling remote attestation with IMA measurement

To verify system integrity by using remote attestation tools such as Keylime, you must enable Integrity Measurement Architecture (IMA) measurement. A signed sample measurement policy is available at /usr/share/ima/policies/02-keylime-remote-attestation. Deploy that policy, or one of your own that meets your requirements.

Prerequisites

  • A signed measurement policy is available at /usr/share/ima/policies/02-keylime-remote-attestation.

Procedure

  1. Install the rpm-plugin-ima package:

    # dnf install rpm-plugin-ima
  2. Reinstall the ima-evm-utils package so that the rpm-plugin-ima plugin writes the IMA signatures of the sample policies from the RPM header into their security.ima extended attributes:

    # dnf reinstall ima-evm-utils
  3. Confirm that the IMA signature has been stored:

    # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /usr/share/ima/policies/02-keylime-remote-attestation
    keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
    key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
    /usr/share/ima/policies/02-keylime-remote-attestation: verification is OK
  4. Copy the signed measurement policy with extended attributes preserved to /etc/ima/ima-policy so systemd automatically loads it on boot:

    # cp --preserve=xattr /usr/share/ima/policies/02-keylime-remote-attestation /etc/ima/ima-policy
  5. Enable the dracut integrity module so the IMA key loads at boot time:

    # cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/ima.conf
  6. Regenerate the initramfs to include the integrity module:

    # dracut -f
    • On s390x systems, additionally run zipl to apply the changes for the next IPL (initial program load):

      # zipl
  7. Reboot to load the IMA key:

    # systemctl reboot
    Warning

    On systems with Secure Boot enabled, the kernel accepts only signed IMA policies, and it can verify the signature on /etc/ima/ima-policy only if the IMA code-signing key is already loaded, which is what the dracut integrity module arranges. If the policy is loaded before the key is available to the kernel, the load fails and the next reboot can hang. Therefore, complete the initramfs steps before rebooting, so that the policy is loaded only after the key.

    If the sample policy does not meet your requirements, see Loading an IMA policy signed by your custom IMA key.

Verification

  • Verify that the policy is loaded:

    # cat /sys/kernel/security/integrity/ima/policy

    Once the policy is active, the measurement log in the ascii_runtime_measurements file in the same directory starts with the boot_aggregate entry and gains one entry per measured file. This log, together with the TPM quote over PCR 10, is what Keylime verifies.